More TLS improvements

rfm · rfm · commit 0b5205854485 · 2026-05-08T17:04:15.000+01:00
diff --git a/ChangeLog b/ChangeLog
@@ -2,7 +2,10 @@
 
 	* Source/GSTLS.m: Enable strict host certificate verification by
 	default and use available server name for host name verification
-	if it is set.  This is a big deal as it alters the behavior of
+	if it is set.  Improve printing certificate and other debug.
+	Fix bug checking remote host name, and change to use system trust
+	list (if possible) in preference to the one in the gnustep bundle.
+	This is a big deal as it alters the behavior of
 	NSURL (and the NSURLHandle/NSURLConnection APIs) so that they will
 	now fail to send the HTTPS request if the remote host has a bad
 	certificate (not trusted or secure enough etc).  When the APIs were
@@ -16,6 +19,12 @@
 	is only activated by programattically setting TLS configuration for a
 	connection, so code which wants certificate verification should be
 	setting the option to get it anyway.
+	modified:   Source/GSTLS.m
+	* Tests/base/NSStream/socket.m:
+	* Tests/base/NSURL/test02.m:
+	* Tests/base/NSURLConnection/Helpers/NSURLConnectionTest.m:
+	* Tests/base/NSURLConnection/test02.m:
+	Update tests to disable hostname validation where we are using bad certs
 
 2026-05-07 Richard Frith-Macdonald <rfm@gnu.org>
 
diff --git a/Source/GSTLS.m b/Source/GSTLS.m
@@ -131,8 +131,9 @@ static int gcry_mutex_unlock(void **lock)
 
 /* The caFile variable holds the location of the file containing the default
  * certificate authorities to be used by our system.
- * The hard-coded value is a file in the GSTLS folder of the base library
- * resource bundle, but this can be overridden by the GS_TLS_CA_FILE
+ * The hard-coded value is the GNUTLS system default set, with a fallback to
+ * a file in the GSTLS folder of the base library resource bundle,
+ * but this can be overridden by the GS_TLS_CA_FILE
  * environment variable, which in turn will be overridden by the GSTLSCAFile
  * user default string.
  */
@@ -244,12 +245,6 @@ + (void) _defaultsChanged: (NSNotification*)n
         {
           str = [env objectForKey: @"SSL_CERT_FILE"];
         }
-      if (nil == str)
-        {
-          str = [bundle pathForResource: @"ca-certificates"
-                                 ofType: @"crt"
-                            inDirectory: @"GSTLS"];
-        }
     }
   str = standardizedPath(str);
   ASSIGN(caFile, str);
@@ -608,98 +603,26 @@ @implementation GSTLSCertificateList
 
 + (void) certInfo: (gnutls_x509_crt_t)cert to: (NSMutableString*)str
 {
-#if GNUTLS_VERSION_NUMBER >= 0x030507
-  gnutls_datum_t    dn;
-#else
-  char            dn[1024];
-  size_t          dn_size = sizeof(dn);
-#endif
-  char            serial[40];
-  size_t          serial_size = sizeof(serial);
-  time_t          expiret;
-  time_t          activet;
-  int             algo;
-  unsigned int    bits;
-  int             i;
-
-  [str appendFormat: _(@"- Certificate version: #%d\n"),
-    gnutls_x509_crt_get_version(cert)];
-
-#if GNUTLS_VERSION_NUMBER >= 0x030507
-  if (GNUTLS_E_SUCCESS == gnutls_x509_crt_get_dn3(cert, &dn, 0))
-    {
-      [str appendFormat: @"- Certificate DN: %@\n",
-        [NSString stringWithUTF8String: (const char*)dn.data]];
-      gnutls_free(dn.data);
-    }
-  if (GNUTLS_E_SUCCESS == gnutls_x509_crt_get_issuer_dn3(cert, &dn, 0))
+  gnutls_datum_t	dn = { 0, 0 };
+  int           	ret;
+
+  ret = gnutls_x509_crt_print(cert, GNUTLS_CRT_PRINT_FULL, &dn);
+  if (0 == ret)
+    {
+      NSString	*tmp;
+
+      tmp = [[NSString alloc] initWithBytesNoCopy: dn.data
+					   length: dn.size
+					 encoding: NSUTF8StringEncoding
+				     freeWhenDone: YES];
+      [str appendString: tmp];
+      RELEASE(tmp);
+    } 
+  else 
     { 
-      [str appendFormat: _(@"- Certificate Issuer's DN: %@\n"),
-        [NSString stringWithUTF8String: (const char*)dn.data]];
-      gnutls_free(dn.data);
-    }
-#else
-  dn_size = sizeof(dn) - 1;
-  gnutls_x509_crt_get_dn(cert, dn, &dn_size);
-  dn[dn_size] = '\0';
-  [str appendFormat: @"- Certificate DN: %@\n",
-    [NSString stringWithUTF8String: dn]];
-
-  dn_size = sizeof(dn) - 1;
-  gnutls_x509_crt_get_issuer_dn(cert, dn, &dn_size);
-  dn[dn_size] = '\0';
-  [str appendFormat: _(@"- Certificate Issuer's DN: %@\n"),
-    [NSString stringWithUTF8String: dn]];
-#endif
-
-  activet = gnutls_x509_crt_get_activation_time(cert);
-  [str appendFormat: _(@"- Certificate is valid since: %s"),
-    ctime(&activet)];
-
-  expiret = gnutls_x509_crt_get_expiration_time(cert);
-  [str appendFormat: _(@"- Certificate expires: %s"),
-    ctime (&expiret)];
-
-#if 0
-{
-  char        digest[20];
-  size_t      digest_size = sizeof(digest);
-  if (gnutls_x509_fingerprint(GNUTLS_DIG_MD5,
-    &cert_list[0], digest, &digest_size) >= 0)
-    {
-      [str appendString: _(@"- Certificate fingerprint: ")];
-      for (i = 0; i < digest_size; i++)
-        {
-          [str appendFormat: @"%.2x ", (unsigned char)digest[i]];
-        }
-      [str appendString: @"\n"];
-    }
-}
-#endif
-
-  if (gnutls_x509_crt_get_serial(cert, serial, &serial_size) >= 0)
-    {
-      [str appendString: _(@"- Certificate serial number: ")];
-      for (i = 0; i < serial_size; i++)
-        {
-          [str appendFormat: @"%.2x ", (unsigned char)serial[i]];
-        }
-      [str appendString: @"\n"];
-    }
-
-  [str appendString: _(@"- Certificate public key: ")];
-  algo = gnutls_x509_crt_get_pk_algorithm(cert, &bits);
-  if (GNUTLS_PK_RSA == algo)
-    {
-      [str appendFormat: _(@"RSA - Modulus: %d bits\n"), bits];
-    }
-  else if (GNUTLS_PK_DSA == algo)
-    {
-      [str appendFormat: _(@"DSA - Exponent: %d bits\n"), bits];
-    }
-  else
-    {
-      [str appendString: _(@"UNKNOWN\n")];
+      [str appendString: @"Unknown"];
+      NSLog(@"-certInfo:to: failed with '%s'", gnutls_strerror(ret));
+      if (dn.data) free(dn.data);
     }
 }
  
@@ -1303,13 +1226,57 @@ + (GSTLSCredentials*) credentialsFromCAFile: (NSString*)ca
                 {
                   c->trust = YES;   // Loaded at least one trusted CA
                 }
-              if (YES == debug)
+              if (debug)
                 {
                   NSLog(@"Default trusted authorities (from %@): %d",
                    dca, ret);
                 }
             }
         }
+      else
+	{
+          const char    *path;
+          int           ret;
+
+	  /* Try system sertificates, and if those fail, try base library ones.
+	   */
+	  ret = gnutls_certificate_set_x509_system_trust(c->certcred);
+	  if (ret < 0)
+	    {
+	      NSBundle	*bundle = [NSBundle bundleForClass: [NSObject class]];
+	      NSString	*str;
+
+	      str = [bundle pathForResource: @"ca-certificates"
+				     ofType: @"crt"
+				inDirectory: @"GSTLS"];
+	      str = standardizedPath(str);
+	      path = [str gnutlsFileSystemRepresentation];
+	      ret = gnutls_certificate_set_x509_trust_file(c->certcred,
+		path, GNUTLS_X509_FMT_PEM);
+	      if (ret >= 0)
+		{
+		  if (debug)
+		    {
+		      NSLog(@"Default trusted authorities (from base) %d", ret);
+		    }
+		  if (ret > 0)
+		    {
+		      c->trust = YES;   // Loaded at least one trusted CA
+		    }
+		}
+	    }
+	  else
+	    {
+              if (debug)
+                {
+                  NSLog(@"Default trusted authorities (from O/S) %d", ret);
+                }
+	      if (ret > 0)
+		{
+		  c->trust = YES;   // Loaded at least one trusted CA
+		}
+	    }
+	}
 
       /* Load any specified trusted authority certificates.
        */
@@ -2073,12 +2040,13 @@ - (BOOL) handshake
       ret = [self verify];
       if (ret < 0)
         {
-          if (globalDebug > 1 || (requireVerified && globalDebug > 0)
+          if (globalDebug > 1
+	    || (requireVerified && globalDebug > 0)
             || YES == [[opts objectForKey: GSTLSDebug] boolValue])
             {
               NSLog(@"%p unable to verify SSL connection - %s",
                 handle, gnutls_strerror(ret));
-              NSLog(@"%p %@", handle, [self sessionInfo]);
+              NSLog(@"%p failed verify:\n%@", handle, [self sessionInfo]);
             }
           if (requireVerified)
             {
@@ -2371,7 +2339,8 @@ - (NSString*) sessionInfo
               gnutls_x509_crt_import(cert,
                 &cert_list[cert_num], GNUTLS_X509_FMT_DER);
 
-              [str appendFormat: _(@"- Certificate %d info:\n"), cert_num];
+              [str appendFormat: _(@"- Index %d of %d, "),
+		cert_num, cert_list_size];
 
               [GSTLSCertificateList certInfo: cert to: str];
 
@@ -2405,6 +2374,7 @@ - (int) verify
 {
   NSArray               *names;
   NSString              *str;
+  NSMutableString       *ci;
   unsigned int          status;
   const gnutls_datum_t  *cert_list;
   unsigned int          cert_list_size;
@@ -2521,6 +2491,9 @@ - (int) verify
 #endif
     }
 
+  ci = [NSMutableString stringWithCapacity: 2000];
+  [GSTLSCertificateList certInfo: cert to: ci];
+
   str = [opts objectForKey: GSTLSRemoteHosts];
   if (nil == str)
     {
@@ -2557,7 +2530,7 @@ - (int) verify
 
       while (nil != (name = [enumerator nextObject]))
         {
-          if (0 == gnutls_x509_crt_check_hostname(cert, [name UTF8String]))
+          if (gnutls_x509_crt_check_hostname(cert, [name UTF8String]))
             {
               found = YES;
               break;
@@ -2566,26 +2539,25 @@ - (int) verify
       if (NO == found)
         {
           str = [NSString stringWithFormat:
-            @"TLS verification: certificate's hostname does not match '%@'",
-            names];
+            @"TLS verification: hostname does not match '%@' in %@",
+            names, ci];
           ASSIGN(problem, str);
           gnutls_x509_crt_deinit(cert);
           if (YES == debug) NSLog(@"%p %@", handle, problem);
           return GNUTLS_E_CERTIFICATE_ERROR;
         }
     }
 
-  gnutls_x509_crt_deinit(cert);
-
   names = [opts objectForKey: GSTLSIssuers];
   if ([names isKindOfClass: [NSArray class]])
     {
       if (nil == issuer || NO == [names containsObject: issuer])
         {
           str = [NSString stringWithFormat:
-            @"TLS verification: certificate's issuer does not match '%@'",
-            names];
+            @"TLS verification: issuer does not match '%@' in %@",
+            names, ci];
           ASSIGN(problem, str);
+	  gnutls_x509_crt_deinit(cert);
           if (YES == debug) NSLog(@"%p %@", handle, problem);
           return GNUTLS_E_CERTIFICATE_ERROR;
         }
@@ -2597,14 +2569,16 @@ - (int) verify
       if (nil == owner || NO == [names containsObject: owner])
         {
           str = [NSString stringWithFormat:
-            @"TLS verification: certificate's owner does not match '%@'",
-            names];
+            @"TLS verification: owner does not match '%@' in %@",
+            names, ci];
           ASSIGN(problem, str);
+	  gnutls_x509_crt_deinit(cert);
           if (YES == debug) NSLog(@"%p %@", handle, problem);
           return GNUTLS_E_CERTIFICATE_ERROR;
         }
     }
 
+  gnutls_x509_crt_deinit(cert);
   return 0;     // Verified
 }
 
diff --git a/Tests/GNUmakefile b/Tests/GNUmakefile
@@ -72,7 +72,6 @@ check::
 		export ADDITIONAL_LDFLAGS;\
 		export LD_LIBRARY_PATH;\
 	fi; \
-	export GS_TLS_VERIFY_S=NO;\
 	export GNUSTEP_LOCAL_ADDITIONAL_MAKEFILES;\
 	export ADDITIONAL_INCLUDE_DIRS;\
 	export ADDITIONAL_LIB_DIRS;\
diff --git a/Tests/base/NSStream/socket.m b/Tests/base/NSStream/socket.m
@@ -109,13 +109,15 @@ int main()
 {
   NSAutoreleasePool   *arp = [NSAutoreleasePool new];
   NSRunLoop *rl;
+  NSString *name;
   NSHost *host;
   Listener *li;
   NSDate *d;
 
   rl = [NSRunLoop currentRunLoop];
-  host = [NSHost hostWithName: @"www.google.com"];
-  //host = [NSHost hostWithName: @"localhost"];
+  name = @"www.google.com";
+  //name = @"localhost";
+  host = [NSHost hostWithName: name];
 
 #if 1
   li = [[Listener new] autorelease];
@@ -161,6 +163,8 @@ int main()
 		       forKey: NSStreamSocketSecurityLevelKey];
     [defaultOutput setProperty: NSStreamSocketSecurityLevelNegotiatedSSL
 			forKey: NSStreamSocketSecurityLevelKey];
+
+    [defaultOutput setProperty: name forKey: GSTLSServerName];
     [defaultInput open];
     [defaultOutput open];
 
diff --git a/Tests/base/NSURL/test02.m b/Tests/base/NSURL/test02.m
@@ -113,6 +113,15 @@ int main()
   [request setHTTPBody: data];
   [request setHTTPMethod: @"POST"];
 
+/* Our test certificate is self-signed and out of date ... don't require
+ * the server to be verified.
+ */
+#if defined(GNUSTEP_BASE_LIBRARY)
+  [NSURLProtocol setProperty: @"NO"
+                      forKey: GSTLSVerify
+                   inRequest: request];
+#endif
+
   // sending the request
   [NSURLConnection sendSynchronousRequest: request
 			returningResponse: &response
diff --git a/Tests/base/NSURLConnection/Helpers/NSURLConnectionTest.m b/Tests/base/NSURLConnection/Helpers/NSURLConnectionTest.m
@@ -109,6 +109,15 @@ - (void)startTest:(id)extra
       [s addObject: @"NSRunLoop"];
     }
 
+/* Our test certificate is self-signed and out of date ... don't require
+ * the server to be verified.
+ */
+#if defined(GNUSTEP_BASE_LIBRARY)
+  [NSURLProtocol setProperty: @"NO"
+		      forKey: GSTLSVerify
+		   inRequest: _request];
+#endif
+
   _conn = [[NSURLConnection alloc] initWithRequest: _request
 					  delegate: self];
 
diff --git a/Tests/base/NSURLConnection/test02.m b/Tests/base/NSURLConnection/test02.m
